

Keybase proof

I hereby claim:

  • I am mhaggis on github.
  • I am mhaggis (https://keybase.io/mhaggis) on keybase.
  • I have a public key whose fingerprint is FDB2 37EB CB74 CDB8 509B F1F6 DBDE 16A6 A0D4 DB9D

To claim this, I am signing this object:

<?XML version="1.0"?>
<scriptlet>
<registration
description="Empire"
progid="Empire"
version="1.00"
classid="{20001111-0000-0000-0000-0000FEEDACDC}"
>
<!-- regsvr32 /s /i"C:\Bypass\Backdoor.sct" scrobj.dll -->
<Sysmon schemaversion="3.20">
<!-- NOTE(review): md5 is collision-prone when matching image hashes against threat-intel lists; Sysmon also accepts sha256 in this list. Confirm what the downstream SIEM/hash lookups expect before changing it. -->
<HashAlgorithms>md5,imphash</HashAlgorithms>
<EventFiltering>
<ProcessCreate onmatch="include">
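<Image condition="contains">cmd.exe</Image>
<Image condition="contains">powershell.exe</Image>
<Image condition="contains">wmic.exe</Image>
<!-- Was "cscirpt.exe": the misspelling never matches the real cscript.exe image name, so console Windows Script Host launches were silently missing from this include filter while wscript.exe was covered. -->
<Image condition="contains">cscript.exe</Image>
<Image condition="contains">wscript.exe</Image>
<Image condition="contains">net.exe</Image>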
<!--
sysmon-config | A sysmon configuration for everyone
Public Version: 30
By @SwiftOnSecurity, with contributors credited in-line or on Git
https://github.com/SwiftOnSecurity/sysmon-config
Required Sysmon version: 5.02
https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx
NOTE: There is best-effort support for 32-bit systems, but it's not a test scenario and will require your own tuning.
<AppLockerPolicy Version="1">
<!-- Only the Exe collection is active, and only as AuditOnly (AppLocker logs the decision but does not block). Appx, Dll and Msi are NotConfigured, so nothing in this policy is enforced; the Script collection below is NotConfigured as well, which leaves its Deny rule inert until the mode is changed. -->
<RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
<RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
<RuleCollection Type="Exe" EnforcementMode="AuditOnly" />
<RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
<RuleCollection Type="Script" EnforcementMode="NotConfigured">
<FilePathRule Id="02cc3f4e-9ecb-4962-a7a0-830e889da641" Name="%OSDRIVE%\Users\%USERPROFILE%\Appdata\roaming\*.js" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
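<Conditions>
<!-- %USERPROFILE% is not an AppLocker path variable (AppLocker only expands %WINDIR%, %SYSTEM32%, %OSDRIVE%, %PROGRAMFILES%, %REMOVABLE% and %HOT%), and prefixing it with %OSDRIVE%\Users\ would double the profile root anyway, so the original path "%OSDRIVE%\Users\%USERPROFILE%\Appdata\roaming\*.js" could never match and the Deny rule was dead. A wildcard for the per-user segment is the supported form. The rule's Name attribute above still carries the old text; it is a label only. The enclosing Script collection is EnforcementMode="NotConfigured", so the rule is not enforced until that is set. -->
<FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Roaming\*.js" />
</Conditions>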
{
"wmic": {
"process_name": ["wmic.exe"],
"cmdline": ["wmic shadowcopy delete"]
},
"Vssadmin": {
"process_name": ["vssadmin.exe"],
"cmdline": ["vssadmin delete shadows /all /quiet"]
},
"bcdedit": {
{
"Backblaze": {
"process_name": ["bztransmit.exe"]
},
"Box": {
"process_name": ["boxsync.exe",
"boxsyncmonitor.exe",
"syncupdaterservice.exe"]
},
"Carbonite": {
# ingress.event.process
# ingress.event.procstart
# ingress.event.netconn
# ingress.event.procend
# ingress.event.childproc
# ingress.event.moduleload
# ingress.event.module
# ingress.event.filemod
# ingress.event.regmod
# ingress.event.tamper
# ingress.event.procstart
# ingress.event.netconn
# ingress.event.processblock
# ingress.event.emetmitigation
# watchlist.hit.process
# watchlist.hit.binary
# watchlist.storage.hit.process
# watchlist.storage.hit.binary